Merge pull request #2972 from ElvinEfendi/fix-ssl-fallback

consistently fallback to default certificate when TLS is configured

internal/ingress/controller/controller.go

@@ -1055,7 +1055,9 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
 			secrKey := fmt.Sprintf("%v/%v", ing.Namespace, tlsSecretName)
 			cert, err := n.store.GetLocalSSLCert(secrKey)
 			if err != nil {
-				glog.Warningf("Error getting SSL certificate %q: %v", secrKey, err)
+				glog.Warningf("Error getting SSL certificate %q: %v. Using default certificate", secrKey, err)
+				servers[host].SSLCert.PemFileName = defaultPemFileName
+				servers[host].SSLCert.PemSHA = defaultPemSHA
 				continue
 			}
 
@@ -1069,6 +1071,9 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
 				if err != nil {
 					glog.Warningf("SSL certificate %q does not contain a Common Name or Subject Alternative Name for server %q: %v",
 						secrKey, host, err)
+					glog.Warningf("Using default certificate")
+					servers[host].SSLCert.PemFileName = defaultPemFileName
+					servers[host].SSLCert.PemSHA = defaultPemSHA
 					continue
 				}
 			}

test/e2e/annotations/luarestywaf.go

@@ -150,6 +150,8 @@ func createIngress(f *framework.Framework, host, service string, port int, annot
 		})
 	Expect(err).NotTo(HaveOccurred())
 
+	time.Sleep(1 * time.Second)
+
 	resp, body, errs := gorequest.New().
 		Get(f.IngressController.HTTPURL).
 		Set("Host", host).

test/e2e/framework/framework.go

@@ -385,8 +385,17 @@ func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name
 	return nil
 }
 
+// NewSingleIngressWithTLS creates a simple ingress rule with TLS spec included
+func NewSingleIngressWithTLS(name, path, host, ns, service string, port int, annotations *map[string]string) *extensions.Ingress {
+	return newSingleIngress(name, path, host, ns, service, port, annotations, true)
+}
+
 // NewSingleIngress creates a simple ingress rule
 func NewSingleIngress(name, path, host, ns, service string, port int, annotations *map[string]string) *extensions.Ingress {
+	return newSingleIngress(name, path, host, ns, service, port, annotations, false)
+}
+
+func newSingleIngress(name, path, host, ns, service string, port int, annotations *map[string]string, withTLS bool) *extensions.Ingress {
 	if annotations == nil {
 		annotations = &map[string]string{}
 	}
@@ -398,12 +407,6 @@ func NewSingleIngress(name, path, host, ns, service string, port int, annotation
 			Annotations: *annotations,
 		},
 		Spec: extensions.IngressSpec{
-			TLS: []extensions.IngressTLS{
-				{
-					Hosts:      []string{host},
-					SecretName: host,
-				},
-			},
 			Rules: []extensions.IngressRule{
 				{
 					Host: host,
@@ -424,6 +427,14 @@ func NewSingleIngress(name, path, host, ns, service string, port int, annotation
 			},
 		},
 	}
+	if withTLS {
+		ing.Spec.TLS = []extensions.IngressTLS{
+			{
+				Hosts:      []string{host},
+				SecretName: host,
+			},
+		}
+	}
 
 	return ing
 }

test/e2e/settings/tls.go

@@ -177,7 +177,7 @@ var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {
 })
 
 func tlsEndpoint(f *framework.Framework, host string) (*tls.Config, error) {
-	ing, err := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.IngressController.Namespace, "http-svc", 80, nil))
+	ing, err := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, f.IngressController.Namespace, "http-svc", 80, nil))
 	if err != nil {
 		return nil, err
 	}

test/e2e/ssl/secret_update.go

@@ -54,7 +54,7 @@ var _ = framework.IngressNginxDescribe("SSL", func() {
 		})
 		Expect(err).NotTo(HaveOccurred())
 
-		ing, err := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.IngressController.Namespace, "http-svc", 80, nil))
+		ing, err := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, f.IngressController.Namespace, "http-svc", 80, nil))
 		Expect(err).ToNot(HaveOccurred())
 		Expect(ing).ToNot(BeNil())